Certifications and Codes of Conduct


    Certifications and Codes of Conduct

    Certification schemes and Codes of conduct are established under the GDPR as an accountability element to demonstrate the organizations’ compliance with privacy laws and to facilitate data transfers or vendor management.

    Last Updated: July 30, 2019

  • Certifications

    Certification schemes exist to encourage and demonstrate compliance with data protection standards. GDPR Article 43 sets the criteria and procedure for accrediting certification bodies. Article 43(1) requires the Member States to ‘ensure’ that certification bodies are accredited by a supervisory authority.

    Datatilsynet Certification Guidance

    Danish Data Protection Authority, Datatilsynet, has issued Guide to Code of Conduct and Certification. It explains what a certification scheme is, what a certification scheme can be used for how to get a certification scheme and how to become accredited as a certification body. For instance, Datatilsynet highlights how the requirements and certification criteria are related to the processing activities. A certification can, for example, concern the collection, registration, pseudonymization or deletion of personal data by an organization or an institution. On the other hand, certification under the GDPR cannot relate to the actual IT system in which the processing activities take place.

    If a company or an institution obtains a certification, the company or institution concerned will receive a proof, for example, a certificate (or a mark) certifying that the company or an institution has become accredited under a certification scheme and thus should perform a processing activity in a specific manner as required by the certification scheme. A company or an institution that has obtained a certification will probably – on the basis of the certification scheme – be able to display a certificate (or mark) on its website or attach it as an attachment to an agreement, thus informing other parties that the company or the institution complies with the requirements and criteria contained in the certification scheme.

    Contrary to the GDPR provisions on codes of conduct, the provisions on certification do not contain any instructions on who should take the initiative to establish a certification scheme. In practice, it will probably be a company that can see business potential in accrediting as a certification body in relation to a specific processing activity. For example, a company that has deep expertise in pseudonymization of health information, and reasonably assumes that, for example, a large number of researchers might be interested in getting certified in pseudonymization. When an enterprise is able to see business potential in accrediting, this is due to the fact that there will be costs associated with accrediting as well as the costs associated with maintaining its accreditation. See more in the Datatilsynet Guidelines – including the step-by-step envisioned process of certification approval in Denmark.

    Accreditation As Certification Body

    If companies wish to be accredited as certification bodies, in Denmark, they may in principle be accredited as a certification body by either 1) Data Inspectorate or 2) The Danish Accreditation Body (DANAK). In practice, however, DANAK will be responsible for accreditation of certification bodies, as DANAK has extensive experience in doing accreditation in other areas. It is thus DANAK that a company must contact if it wishes to be accredited as a certification body. The Data Inspectorate, in cooperation with DANAK, has established the rules for accreditation of certification bodies in Denmark in accordance with Article 43 1 (b) of the Data Protection Regulation and Regulation (EC) No 765/2008. The rules are published in an accreditation message (AMC 31) on DANAK’s website. It has not yet been decided whether the Data Inspectorate will lay down additional requirements, as well as what these requirements should be. Any additional requirements will be announced no later than 2018.

    From 25 May 2018, the Data Inspectorate will publish a list of approved certification schemes on its website. On the DANAK website, you can also find an overview of accredited certification bodies.

  • Codes of Conduct

    The GDPR Art. 40 recommends for organizations to use Codes of Conduct as a voluntary tool for proper and effective GDPR application. Codes of conduct should be tailored to reflect specific needs of various sectors and sizes of organizations. Trade associations or bodies representing a sector can create codes of conduct to help their sector comply with the GDPR in an efficient and cost-effective way. Furthermore, Codes of Conduct are a strong accountability and compliance indicator towards the regulator, public, and business partners.

    Datatilsynet Codes of Conduct Guidance

    Danish Data Protection Authority, Datatilsynet, has issued Guide to Code of Conduct and Certification. The Guide highlights the benefits of Codes of Conduct for various elements of the GDPR compliance, including practical examples and notes. It also contains instructions on how to draft a code of conduct and what are the minimum content requirements.

    Datatilsynet outlines a list of content requirements that should at least be touched on in the code of conduct submitted for approval in order to contain sufficient guarantees:

    • A code of conduct must focus on a well-defined category of data controllers or data processors. The code must thus clearly indicate the types of organizations or sectors to which it intends to apply.
    • A code of conduct must address specific and well-defined processing activities that are typical of the above categories of data controllers and data processors.
    • A code of conduct must be carefully prepared and in this relation, it should be possible to hear opinions of relevant stakeholders, including, as far as possible, those registered or their representatives, for example, the consumer council or similar bodies.
    • A code of conduct must contain guidelines aimed at specific processing situations relevant to the industry or similar to which the code is addressed. The guidelines may be related to the daily activities and the possible unusual daily situations that the processing activities may involve, as well as setting specific safeguards for limiting the risks identified in relation to the processing activities.
    • A code of conduct must contain specific guidelines that help ensure that the relevant data controller or data processor complies with the GDPR when following the code of conduct. The code must therefore adequately focus on specific data protection issues and problems found in the organization or sector to which the code applies and provide sufficiently clear solutions to these issues and problems. In this regard, relevant competencies, such as professional, legal and IT security, should be included in the preparation.
    • A code of conduct must contain mechanisms that enable an inspection body to check whether the data controller or data processor who has adhered to a code of conduct actually complies with the rules of the code. These control mechanisms can be of technical and organizational nature.
    • For any code of conduct, there must be a central body (e.g. an industry organization) that ensures that the code is regularly updated and adapted, for example in relation to data surveillance practices etc.
    • A code of conduct should (at least if you want to rely on the code in compliance with the GDPR) contain a control mechanism that enables a control body to monitor compliance with the code. The inspection body must be accredited by the Data Inspectorate.
    • A code of conduct may contain a provision containing the following wording: “Compliance with this Code of Conduct does not exempt data controllers or data processors from complying with the General Data Protection Regulation, as well as compliance with this code does not affect the powers or duties of the Data Inspectorate, including in terms of compliance with the provisions of this Code.

    Related Resources

    Denmark Codes of Conduct Resources

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit OneTrust.com or connect on LinkedIn, Twitter and Facebook.